This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hey,
I am unable to add an item in my choice of watchlists using entities like an account, computer, hostname, or IP address, the step where the watchlist condition will take an input is being skipped by the logic app, can anyone help regarding this.
TIA
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 87%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMU%3C/text%3E%3C/svg%3E)
Hello @Anonymous - Could you confirm that you're using the "Watchlists - Add a new watchlist item" action? Also, I would try in Code View as well.
Hey @Mike Urnun - Yep I am using that particular action, attaching pictures for reference.
Hi @Anonymous - My apologies for the late reply. If you're still encountering this issue, it looks like the "Add items to watchlist" actions are being skipped because there may not have been any data flowing through from the upstream trigger/actions. Did you check the RunHistory and validate if the correct set of data is actually being populated from the trigger itself?
Hey @Mike Urnun , check this tech community page where I had a discussion with another engineer, please let me know if you can guide further.
https://techcommunity.microsoft.com/t5/azure-sentinel/unable-to-utilize-logics-apps-to-feed-data-in-a-watchlist/m-p/2770130/emcs_t/S2h8ZW1haWx8bWVudGlvbl9zdWJzY3JpcHRpb258S1RVMVdFOVNOS0o1T098Mjc3MDEzMHxBVF9NRU5USU9OU3xoSw#M4095
Hello @Anonymous - I read your discussion on the Tech Community link and it looks like the same observation was made for the root cause of the issue. Logic Apps workflows execute in a top-down direction so the trigger is the component that is supposed to feed data to the rest of the subsequent Actions in your workflow. In your case, you're getting successful runs but yet no data is flowing through your workflow.
As such, in order to investigate further and as the next step, I recommend that you carefully review the Run History (of the successful runs of your Logic App workflow) and validate the inputs and outputs from the trigger as well as from parallel branches of actions: Entities - Get Accounts, Entities - Get Hosts, etc.
The exact steps on how to review Trigger and Run histories separately in greater detail are on the following documentation: Monitor run status, review trigger history, and set up alerts for Azure Logic Apps
Also, I found the following blog post which seems to be implementing a similar workflow: How to Use the Watchlists Logic App Connector for Azure Sentinel
Let me know if you find something in the Trigger/Run History or run out of options, I'd be happy to dig deeper and help you get the workflow up and running.
Hey @Mike Urnun thank you for the feedback, this is where I am getting it, I did some troubleshooting but unfortunately wasn't able to fetch the issue of why the data is not flowing through, however, I will check your provided logic app link.
About the workflow, by Rod, I followed it and reached out to him but that didn't work, it wasn't executable or we can say a lot has changed since that blog release in Watchlists.
@Anonymous Yes, check out that doc on how to troubleshoot using trigger/run history. Since your trigger is firing in response to an event, you should be able to drill down in the trigger history to probe the input event data as well as the output data that should have been passed down to your parallel branches. I'd also look at Run History and do the same drill down into the input data of the parallel actions too.